08-21-2006 03:25 AM - edited 03-03-2019 04:36 AM
I have a server with IP 10.2.1.4 in a network 10.2.1.x.
I want to get to that server from another server, 10.2.15.2.
Why is this not working???
This is my config on the 2611xm-gateway:
=================================
interface FastEthernet0/0
description InternLAN
ip address 10.2.1.222 255.255.255.0
ip nat inside
speed auto
half-duplex
!
interface FastEthernet0/1
description ExternalLAN
ip address 10.2.15.1 255.255.255.0
ip nat outside
speed auto
half-duplex
!
ip nat pool firstpool 10.2.1.222 10.2.1.222 netmask 255.255.255.0
ip nat outside source list 1 pool firstpool
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.1.222
ip http server
!
access-list 1 permit 10.2.15.2
==============================
Hope somebody can help me please!
Regards,
Kenneth
08-21-2006 03:49 AM
Why NAT? If you're going to connect to 10.2.1.4 from 10.2.15.2, it needs routing between the two subnets which connect to FastEthernet0/0 and FastEthernet0/1.
08-21-2006 04:05 AM
Could I just make a
ip route 10.2.15.0 0.0.0.0 10.2.1.2 ?
And maybe have an ACL like this:
access-list 1 permit 10.2.15.2
to allow only that host to connect to the server 10.2.1.4 ?
08-21-2006 04:21 AM
You don't need any route, just set gateway on each server.
- server 1
ip : 10.2.1.4
mask : 255.255.255.0
gateway : 10.2.1.222
- server 2
ip : 10.2.15.2
mask : 255.255.255.0
gateway : 10.2.15.1
note : don't forget to remove all NAT configuration
08-21-2006 05:13 AM
This looks almost too easy 😉
Thank you very much for these very helpful answers!
And if I want to just open port tcp 4100 to the 10.2.1.4 from 10.2.15.2, and tcp 3389 both ways I can make this acl:
access-list 1 permit tcp 10.2.15.2 0.0.0.0 10.2.1.4 eq 4100
access-list 1 permit tcp 10.2.15.2 0.0.0.0 10.2.1.4 eq 3389
access-list 1 permit tcp 10.2.15.2 0.0.0.0 10.2.1.4 eq 21
??
08-21-2006 06:45 AM
As I understand it, please see below:
access-list 101 permit tcp 10.2.15.2 0.0.0.0 10.2.1.4 0.0.0.0 eq 4100
access-list 101 permit tcp 10.2.15.2 0.0.0.0 10.2.1.4 0.0.0.0 eq 3389
access-list 101 permit tcp any host 10.2.15.1 eq 23
access-list 101 deny ip any any
access-list 102 permit tcp 10.2.1.4 0.0.0.0 10.2.15.2 0.0.0.0 eq 3389
access-list 102 permit tcp any host 10.2.1.222 eq 23
access-list 102 deny ip any any
interface FastEthernet0/0
access-group 102 in
interface FastEthernet0/1
access-group 101 in
In these ACLs, I added a permit for any host to telnet to the router on its subnet.
Please rate if my answers are helpful
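IOS access lists like 101 and 102 above are matched statelessly, packet by packet, so a permit for the request on one interface does not cover the reply arriving at the other interface's inbound list. The sketch below is an added example, not part of any post in this thread: it runs first-match evaluation of the posted TCP entries over constructed packets and compares ACL 102 with a hypothetical extra entry using the IOS `established` keyword. The helper names, the client ports 50000/50001 and port 8080 are assumptions.

```python
ANY = None  # wildcard ("any") for an address or a port

def rule(action, src, dst, dport=ANY, established=False):
    return dict(action=action, src=src, dst=dst, dport=dport, est=established)

# TCP entries transcribed from the post; the last entry models "deny ip any any".
ACL_101 = [  # applied inbound on FastEthernet0/1
    rule("permit", "10.2.15.2", "10.2.1.4", 4100),
    rule("permit", "10.2.15.2", "10.2.1.4", 3389),
    rule("permit", ANY, "10.2.15.1", 23),
    rule("deny", ANY, ANY),
]
ACL_102 = [  # applied inbound on FastEthernet0/0
    rule("permit", "10.2.1.4", "10.2.15.2", 3389),
    rule("permit", ANY, "10.2.1.222", 23),
    rule("deny", ANY, ANY),
]
# Assumption (not in the thread): an extra first entry with the IOS
# "established" keyword, which matches TCP segments that have ACK or RST set.
ACL_102_EST = [rule("permit", "10.2.1.4", "10.2.15.2", established=True)] + ACL_102

def evaluate(acl, pkt):
    """Return the action of the first entry that matches this one packet."""
    for r in acl:
        if (r["src"] in (ANY, pkt["src"]) and r["dst"] in (ANY, pkt["dst"])
                and r["dport"] in (ANY, pkt["dport"])
                and (not r["est"] or pkt["flags"] & {"ACK", "RST"})):
            return r["action"]
    return "deny"  # implicit deny that ends every ACL

# Constructed packets: the first two segments of 10.2.15.2 -> 10.2.1.4:4100.
SYN = dict(src="10.2.15.2", dst="10.2.1.4", sport=50000, dport=4100, flags={"SYN"})
SYN_ACK = dict(src="10.2.1.4", dst="10.2.15.2", sport=4100, dport=50000,
               flags={"SYN", "ACK"})
# Constructed packet: a new connection opened from the server side.
NEW_OUT = dict(src="10.2.1.4", dst="10.2.15.2", sport=50001, dport=8080, flags={"SYN"})

def handshake_passes(acl_in_fa01, acl_in_fa00):
    """True if the request and its reply are both permitted."""
    return (evaluate(acl_in_fa01, SYN) == "permit"
            and evaluate(acl_in_fa00, SYN_ACK) == "permit")

if __name__ == "__main__":
    print("ACLs as posted:       ", handshake_passes(ACL_101, ACL_102))
    print("with established:     ", handshake_passes(ACL_101, ACL_102_EST))
    print("new SYN from 10.2.1.4:", evaluate(ACL_102_EST, NEW_OUT))
```

With the lists as posted the SYN is permitted by ACL 101 but the SYN-ACK falls through to the deny in ACL 102; the `established` entry lets replies back while a new connection from 10.2.1.4 to an unlisted port is still denied.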
08-21-2006 10:22 PM
It looks like this could solve my problem!
But I cannot use the "access-group" command. Why? Do I have the wrong sw?
router(config-if)#?
Interface configuration commands:
access-expression Build a bridge boolean access expression
arp Set arp type (arpa, probe, snap) or timeout
****************
router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(1b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Thu 14-Jun-01 20:24 by pwade
Image text-base: 0x80008088, data-base: 0x8097F2AC
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
sara-nat uptime is 21 hours, 34 minutes
System returned to ROM by reload
System image file is "flash:c2600-i-mz.122-1b"
****************************
08-22-2006 06:26 AM
Hi again,
ip access-group ----- in or out, not access-group
Abd Alqader
08-22-2006 10:54 PM
Hehe!
Yes, I figured it out. Don't know where my head was 🙂
I'll try the config tomorrow. Seems like a good solution.
Thank you so far! I'll let you know if it's working.
Kenneth
08-21-2006 03:56 AM
Hi Kenneth,
The following document will help you
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic10
Please rate if it does!
Thanks
Abd Alqader